Summary of the invention
The technical problem to be solved by the present invention is to address the defects of the prior art and to provide a resource access control method and system that can effectively control access to massive volumes of data.
To solve the above technical problem, the resource access control method of the present invention comprises the following steps:
A resource management step, which divides the resources into n resource groups, where n is a natural number;
A rights management step, which assigns permissions to users who access resources. A permission consists of one responsibility and one management domain. The responsibility is a set of functions and expresses which operations the user may perform on the accessed resources; the management domain is a set of the resource groups and expresses the scope of resources the user may access;
A permission decision step, which, when a user accesses a resource, controls the user's access according to the permissions assigned to that user.
Further, the resource groups are organized as a tree.
Further, in the rights management step, a user may be assigned more than one permission.
Further, the method of the invention also comprises a management domain switching step, which switches management domains when the user needs to access a different management domain.
To solve the above technical problem, the resource access control system of the present invention comprises:
A resource management module, which divides the resources into n resource groups, where n is a natural number;
A rights management module, which assigns permissions to users who access resources. A permission consists of one responsibility and one management domain. The responsibility is a set of functions and expresses which operations the user may perform on the accessed resources; the management domain is a set of the resource groups and expresses the scope of resources the user may access;
A permission decision module, which, when a user accesses a resource, controls the user's access according to the permissions assigned to that user.
Further, the resources comprise source resources and objects derived from source resources.
Further, the resource management module is also used to add a newly generated derived object of a source resource to the corresponding resource group according to a predefined grouping strategy for new resources.
Further, the functions are those that each business system registers with the resource access control system.
Further, a function comprises a function identifier, a function path and function application attributes. The function identifier is the display name of the function; the function path uniquely identifies the function within the resource access control system; and the function application attributes are returned to the business system through the session after the function has been authenticated, and are interpreted and applied by the business system.
Further, the permission decision module comprises a function decision module and a group filtering module. The function decision module determines, according to the responsibility assigned to the user, which operations the user may perform on the accessed resources; the group filtering module determines, according to the management domain assigned to the user, the scope of resources the user may access.
The beneficial effects of the present invention are:
The invention provides an access control method and system based on responsibilities and management domains. Resource access permissions are granted to users through responsibilities and management domains, so that when a user queries, accesses or uses resources, the user is restricted by the permission in both dimensions, function and resource; the same restriction in function and resource also applies to the objects derived from resources.
The method and system of the invention are simple to operate and low in cost, and in particular make access control over massive data practical. They provide a rights management solution for systems such as monitoring and auditing that involve massive data, and in particular for managed (hosted) services.
Embodiments
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The resource access control method of the present invention comprises a resource management step, a rights management step and a permission decision step, each of which is described in turn below:
The resource management step organizes and manages the controlled resources by means of resource groups: it divides the resources into n resource groups, where n is a natural number. A resource group is the unit by which managed resources are organized and administered, and the resource groups are organized as a tree. The resource group itself is an abstract object that can be flexibly generalized to many kinds of object: users can build a resource model that matches their own business model, for example by business, physical location, security domain or administrative department, and the authorization objects used in the granting process will accordingly be objects closely tied to the customer's business, such as business, physical location, security domain and administrative department.
The rights management step assigns permissions to users who access resources. A permission consists of one responsibility and one management domain, so rights management comprises responsibility management and management domain management. A responsibility is a set of functions and expresses which operations the user may perform on the accessed resources. Functions are not hard-coded: they come from the subsystems of the business system (such as browsing, query and reports), and each subsystem's functions are added dynamically to the overall function set through function registration. A function consists of three basic elements: a function identifier, a function path and function application attributes. The function identifier is the display name of the function; the function path uniquely identifies the function within the resource access control system of the invention; and the function application attributes are returned to the subsystem through the session after the function has been authenticated, and are interpreted and applied by the subsystem. Functions are organized as a tree by their function paths. When a responsibility is bound to a function A and no further function is selected among the child nodes of A, the responsibility comprises function A and all of its subfunctions. A management domain is a set of resource groups and expresses the scope of resources the user may access. Resource groups are bound in a management domain; because resource groups form a tree, the resource access control system of the invention supports inheritance: a bound resource group and all of its subgroups are included in the management domain, and the resources contained in the group and its subgroups all belong to the scope of resources covered by the management domain. A management domain contains not only resources (source resources) but also derived resource objects (in an auditing system the resources are devices and the derived objects are the logs produced by the devices; audit logs are extremely numerous, often numbering in the tens of millions). Assigning a permission means, according to business needs, assigning one management domain and one responsibility to a person or organization that accesses resources (one management domain combined with one responsibility forms one permission, and a user may obtain more than one such permission), which completes the permission assignment.
The permission decision step controls the user's access according to the permissions assigned to that user when a subject (user) accesses an object (resource). The permission decision step comprises a function decision step and a group filtering step. The function decision step determines, according to the responsibility assigned to the user, which operations the user may perform on the accessed resources; the group filtering step determines, according to the management domain assigned to the user, the scope of resources the user may access.
After logging in, the user selects one of the permissions held and a session is established; when the user accesses resources, the user is restricted by the responsibility and the management domain at the same time. First, the function decision step obtains the user's responsibility from the user's session and decides whether the user is allowed to perform the operation. Then the group filtering step obtains all groups of the management domain from the information about the user's management domain; the resources in this set of groups form the actual scope of resources the user can access.
Fig. 1 is a schematic flow chart of the resource access control method of the present invention. As shown in the figure, the method specifically comprises the following steps:
1. Define resources and manage them by means of tree-structured resource groups.
Here resources comprise source resources and objects derived from source resources.
2. Business systems register their business functions by means of function registration.
3. Define a responsibility as a set of the functions obtained in step 2, i.e. bind the function set to the responsibility. Functions have the inheritance property.
4. Define a management domain as a set of resource groups, i.e. bind the set of resource groups to the management domain. Resource groups have the inheritance property.
5. Assign permissions: assign one management domain and one responsibility to a person or organization that accesses resources. A user may be assigned more than one permission.
6. Define the grouping strategy (grouping policy), i.e. set which group label is applied to which kind of new resource. The group label is the key mark used in permission authentication and comprises the unique identifier of the group (group id) and the group policy feature code; one strategy may correspond to several group policy feature codes. A group policy feature code can be referenced when a responsibility is defined.
7. When a new derived resource object is added while the resource access control system is running, apply the group label to the new resource according to the grouping strategy.
8. Establish a session after the user logs in.
9. When the user accesses a resource, first authenticate the action of the user's operation, then filter the scope of the access.
10. If the user needs to operate on resources or functions of a different management domain, perform a management domain switch.
Fig. 2 is a schematic structural diagram of the resource access control system and Fig. 3 is a schematic diagram of its operating principle. As shown in the figures, the resource access control system of the present invention comprises a resource management module, a rights management module and a permission decision module.
The resource management module manages the managed resources. It organizes and manages the controlled resources by means of resource groups; a resource group is the unit by which managed resources are organized and administered, and the resource groups are organized as a tree. The tree structure is also exploited fully during authorization and authentication. The resource group itself is an abstract object that can be flexibly generalized to many kinds of object: users can build a resource model that matches their own business model, for example by business, physical location, security domain or administrative department, and the authorization objects used in the granting process will accordingly be objects closely tied to the customer's business, such as business, physical location, security domain and administrative department.
The resource management module is also used to add newly derived resource objects to the corresponding resource group according to the predefined grouping strategy for new resources. The grouping strategy is the rule for setting group labels on new resources, i.e. it sets which group label is applied to which kind of new resource. The group label is the key mark used in permission authentication; it comprises the unique identifier of the group (group id) and the group policy feature code, and is used in subsequent permission decisions. At the point where new resources are dynamically inserted, the group label is applied automatically to each newly added managed resource according to all grouping strategies. If a managed resource is not covered by any grouping strategy, it enters the default group; if the resource is a derived object, it enters the group of the resource from which it was derived. Taking logs as an example of derived resource objects: when a log is received, the group of the resource (device) corresponding to the log is located, and the group label information is stored together with the log.
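The grouping strategy of step 6 and step 7 and of the paragraph above, as an added Python illustration (not code from the patent): ordered rules map a new resource's attributes to a group label made of a group id and an optional group policy feature code, a source resource that matches no rule falls into a default group, and a derived object such as a log inherits the group of the resource that produced it before the rules are applied to the object itself. The rule predicates, the attribute names (`site`, `severity`, `classified`), the group names and the feature codes `HE.common` and `HE.secret` are constructed for this example; the class and function names are the example's own.

```python
"""Grouping strategy for newly added resources, as described for the resource
management module. Added illustration, not the patent's code; the rule
predicates, attribute names, group names and feature codes are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_GROUP = "default"   # where a source resource lands if no rule matches


@dataclass(frozen=True)
class GroupLabel:
    group_id: str                        # unique identifier of the group
    feature_code: Optional[str] = None   # group policy feature code, referenced by responsibilities


@dataclass
class Rule:
    matches: Callable[[dict], bool]      # predicate over a resource's attributes
    label: GroupLabel


# Constructed strategy. Rules are ordered: for one group id the first matching
# rule wins, so one group can carry several feature codes without both applying.
STRATEGY = [
    Rule(lambda a: a.get("site") == "HQ", GroupLabel("business S1")),
    Rule(lambda a: a.get("site") == "branch", GroupLabel("business S2")),
    Rule(lambda a: a.get("severity") == "high" and a.get("classified") is True,
         GroupLabel("high-risk event", "HE.secret")),
    Rule(lambda a: a.get("severity") == "high", GroupLabel("high-risk event", "HE.common")),
]

# Group labels stored with each source resource, keyed by resource id.
RESOURCE_LABELS: dict = {}


def apply_strategy(attrs: dict) -> set:
    """Run all rules over the attributes; keep the first matching label per group id."""
    chosen = {}
    for rule in STRATEGY:
        if rule.matches(attrs) and rule.label.group_id not in chosen:
            chosen[rule.label.group_id] = rule.label
    return set(chosen.values())


def label_source_resource(resource: dict) -> set:
    """New managed resource: strategy labels, or the default group if none match."""
    labels = apply_strategy(resource) or {GroupLabel(DEFAULT_GROUP)}
    RESOURCE_LABELS[resource["id"]] = labels
    return labels


def label_derived_object(obj: dict) -> dict:
    """New derived object (e.g. a log): inherit the producing resource's group,
    then add any labels the strategy assigns to the object itself. Returns the
    record as it would be stored, with its group labels attached."""
    parent = RESOURCE_LABELS.get(obj["resource"])
    if parent is None:
        raise KeyError(f"unknown source resource {obj['resource']!r}")
    return {**obj, "labels": set(parent) | apply_strategy(obj)}


if __name__ == "__main__":
    label_source_resource({"id": "Res1", "site": "HQ"})
    print(label_derived_object({"resource": "Res1", "severity": "high", "classified": True}))
```

Because the labels are computed once, at insertion, and stored with the record, the later group filter only has to compare stored group ids against the session's management domain, which is what keeps the scheme workable for very large log volumes.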
The rights management module is used for defining and assigning permissions and provides the information on which the permission decision step decides. Rights management consists of two parts: responsibility management and management domain management.
Responsibility management manages permission sets of the function type. It assigns sets of functions registered by the business system to a responsibility, thereby binding the responsibility to the functions. Functions are not hard-coded: they come from the subsystems of the business system (such as browsing, query and reports), and each subsystem's functions are added dynamically to the overall function set through function registration. A function consists of three basic elements: a function identifier, a function path and function application attributes. The function identifier is the display name of the function; the function path uniquely identifies the function within the resource access control system of the invention; and the function application attributes are returned to the subsystem through the session after the function has been authenticated, and are interpreted and applied by the subsystem. Functions are organized as a tree by their function paths. When a responsibility is bound to a function A and no further function is selected among the child nodes of A, the responsibility comprises function A and all of its subfunctions.
A management domain is a set of managed resources and their derived objects, i.e. the scope of resources that a user or user group may manage.
Management domain management manages resource sets. It binds a management domain to resource groups by assigning a subset of the resource groups to the management domain; the resource group is the smallest unit of management domain authorization. Resource groups are bound in a management domain; because resource groups form a tree, the resource access control system of the invention supports inheritance: a bound resource group and all of its subgroups are included in the management domain, and the resources contained in the group and its subgroups all belong to the scope of resources covered by the management domain. A management domain contains not only resources (source resources) but also derived resource objects (in an auditing system the resources are devices and the derived objects are the logs produced by the devices; audit logs are extremely numerous, often numbering in the tens of millions). Assigning a permission means, according to business needs, assigning one management domain and one responsibility to a person or organization that accesses resources (one management domain combined with one responsibility forms one permission, and a user may obtain more than one such permission), which completes the permission assignment.
The permission decision module makes the permission decision when a subject (user) accesses an object (resource). It comprises a function decision module and a group filtering module. The function decision module determines, according to the responsibility assigned to the user, which operations the user may perform on the accessed resources; the group filtering module determines, according to the management domain assigned to the user, the scope of resources the user may access.
After logging in, the user selects one of the permissions held and a session is established; when the user accesses resources, the user is restricted by the responsibility and the management domain at the same time. First, the function decision module obtains the user's responsibility from the user's session and decides whether the user is allowed to perform the operation. Then the group filtering module obtains all groups of the management domain from the information about the user's management domain; the resources in this set of groups form the actual scope of resources the user can access.
The method of the invention is further described below, taking a security event management system as an example.
Security events may originate from a variety of security devices. The devices are managed as resources, and resource access control covers both access control over the devices and access control over the security events the devices produce. Because security events are usually extremely numerous, many security management platforms have abandoned such access control altogether.
In the method of the invention, devices are first managed by means of tree-structured groups. Fig. 4 gives a concrete example of organizing resources from a business perspective: under the resource management root node there are two resource groups, business S1 and business S2; business S1 contains two resources, the system devices Res1 and Res2, and business S2 contains two resources, the system devices Res3 and Res4. Resources are an important part of access control but not the whole of it: access control also covers the information derived from the resources, for example running state, running logs and running events. Taking high-risk events as an example, a high-risk event resource group is created in the figure, with no resources under it in resource management. By defining a grouping strategy, the high-risk events produced on each device can be given the label of the high-risk event resource group, and two feature codes are defined, one common and one secret. These feature codes are registered in the resource access control system automatically.
Fig. 5 shows the function set displayed in the resource access control system of the invention after function registration is complete. Functions are represented as a tree. Taking the registration of function 1 and its subfunctions by a business function subsystem (such as browsing, query or reports) as an example: the subsystem arranges the subsystems it needs to control as a set of URLs separated by the "/" symbol (for example "functional tree/function 1/function 1.1", "functional tree/function 1/function 1.2") together with their names and attributes, and then, through function registration, the functions of the business function subsystem are dynamically registered into the resource access control system of the invention and represented as a tree. The figure also shows the feature codes defined in the grouping strategy, "functional tree/high-risk incident/HE.common" and "functional tree/high-risk incident/HE.secret".
Fig. 6 shows the creation of permissions, i.e. the definition of permissions. In the resource access control system of the invention, permission definition has two parts: one is the definition of sets of functions (or operation types), which is managed through responsibility management; the other is the delimitation of the scope of resources and their derived objects, i.e. management domain management. The left side of the figure shows responsibility management, in which two responsibilities are defined: responsibility OD1 and a responsibility for secret (confidential) management, referred to below as the secret keeper. Responsibility OD1 comprises the function set function 1 (which means it comprises function 1.1 and function 1.2) and HE.common; the secret keeper responsibility comprises the function HE.secret. Defining responsibilities with function sets simplifies the definition of function sets. Management domains define the scope of administration and are shown on the right of the figure. Two management domains are defined under the management domain root, management domain MD1 and management domain MD2. Management domain MD1 is assigned the resource group business S1, and management domain MD2 is assigned the high-risk event group.
Fig. 7 shows how permissions are assigned. A permission is the combination of a responsibility and a management domain. A permission may be assigned to a department (also called a user group; everyone in the department then holds the permission) or directly to a user. In the figure, department D1 is assigned management domain MD1 and responsibility OD1, which means that users U1 and U2 can both exercise responsibility OD1 over the resources, and the derived resource objects, within the scope of management domain MD1. User U3 is assigned two permissions: permission one (management domain MD1 and responsibility OD2) and permission two (management domain MD2 and the secret keeper responsibility). User U3 holds different responsibilities in different domains; in the resource access control system of the invention a user can exercise rights in only one domain at a time. So after user U3 performs function 2.2 in management domain MD1, a management domain switch is required before the secret keeper responsibility can be exercised in management domain MD2; if no other business function control applies, user U3 can then view the secret logs among the high-risk events of every device.
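The flow of steps 1 to 10 and the Fig. 4 to Fig. 7 example above, expressed as an added Python illustration (not code from the patent): a function tree of "/"-separated paths, a resource-group tree with inheritance, responsibilities OD1 and secret keeper, management domains MD1 and MD2, permissions held by U1, U2 and U3, a session that exercises one permission at a time, the function decision, the group filter over devices and their derived logs, and the domain switch. Responsibility OD2's function set, the parent node of function 2.2 and the sample events are constructed here, since the page does not define them; the class and function names are this example's own.

```python
"""Responsibility + management-domain access control, following the patent's
steps 1-10 and the Fig. 4-7 example. Added illustration, not the patent's code.
Names S1/S2, Res1-Res4, MD1/MD2, OD1, secret keeper, function 1.x, HE.common
and HE.secret come from the page; OD2's functions, function 2.2's parent node
and the sample events are constructed here."""
from dataclasses import dataclass

# Step 1: resource groups as a tree (child -> parent) and source resources per group.
ROOT = "resource management"
GROUP_PARENT = {"business S1": ROOT, "business S2": ROOT, "high-risk event": ROOT}
RESOURCE_GROUP = {"Res1": "business S1", "Res2": "business S1",
                  "Res3": "business S2", "Res4": "business S2"}

# Step 2: functions registered by subsystems as "/"-separated paths (Fig. 5).
FUNCTIONS = {
    "functional tree/function 1",
    "functional tree/function 1/function 1.1",
    "functional tree/function 1/function 1.2",
    "functional tree/function 2/function 2.2",       # constructed parent for function 2.2
    "functional tree/high-risk incident/HE.common",  # feature codes from the grouping strategy
    "functional tree/high-risk incident/HE.secret",
}


def is_under(path: str, ancestor: str) -> bool:
    """Tree inheritance on paths: equal to the ancestor or inside its subtree."""
    return path == ancestor or path.startswith(ancestor + "/")


# Steps 3-5: responsibilities bind functions, domains bind groups, users hold one
# or more (domain, responsibility) permissions (U1 and U2 through department D1).
RESPONSIBILITIES = {
    "OD1": {"functional tree/function 1", "functional tree/high-risk incident/HE.common"},
    "OD2": {"functional tree/function 2"},            # constructed: OD2 is not defined on the page
    "secret keeper": {"functional tree/high-risk incident/HE.secret"},
}
MANAGEMENT_DOMAINS = {"MD1": {"business S1"}, "MD2": {"high-risk event"}}
USER_PERMISSIONS = {
    "U1": [("MD1", "OD1")],
    "U2": [("MD1", "OD1")],
    "U3": [("MD1", "OD2"), ("MD2", "secret keeper")],
}


# Steps 6-7: a derived object carries group labels (group id, feature code or None).
@dataclass
class Event:
    device: str
    text: str
    labels: set


SAMPLE_EVENTS = [  # constructed sample logs, already labelled by the grouping strategy
    Event("Res1", "login failure", {("business S1", None)}),
    Event("Res3", "privilege escalation",
          {("business S2", None), ("high-risk event", "functional tree/high-risk incident/HE.secret")}),
    Event("Res4", "port scan",
          {("business S2", None), ("high-risk event", "functional tree/high-risk incident/HE.common")}),
]


# Steps 8-10: a session exercises one permission; function decision, group filter, switch.
@dataclass
class Session:
    user: str
    active: int = 0   # index of the permission currently exercised (one domain at a time)

    @property
    def permission(self):
        return USER_PERMISSIONS[self.user][self.active]

    def switch_domain(self, domain: str) -> None:
        """Step 10: move to the user's permission in `domain`, or refuse."""
        for i, (d, _) in enumerate(USER_PERMISSIONS[self.user]):
            if d == domain:
                self.active = i
                return
        raise PermissionError(f"{self.user} holds no permission in {domain}")


def function_allowed(session: Session, function_path: str) -> bool:
    """Function decision: a registered path that equals or lies under a bound function."""
    if function_path not in FUNCTIONS:
        return False
    _, resp = session.permission
    return any(is_under(function_path, f) for f in RESPONSIBILITIES[resp])


def group_in_domain(group: str, domain: str) -> bool:
    """Group filter with inheritance: the group or one of its ancestors is bound."""
    bound = MANAGEMENT_DOMAINS[domain]
    while group is not None:
        if group in bound:
            return True
        group = GROUP_PARENT.get(group)
    return False


def visible_resources(session: Session) -> set:
    """Source resources (devices) inside the active management domain."""
    domain, _ = session.permission
    return {r for r, g in RESOURCE_GROUP.items() if group_in_domain(g, domain)}


def visible_events(session: Session, events: list) -> list:
    """A derived object is in scope when one of its labels falls in the active
    domain and, if that label carries a feature code, the responsibility holds it."""
    domain, _ = session.permission
    return [e for e in events
            if any(group_in_domain(g, domain) and (code is None or function_allowed(session, code))
                   for g, code in e.labels)]


if __name__ == "__main__":
    s = Session("U3")                       # exercising (MD1, OD2)
    print(function_allowed(s, "functional tree/function 2/function 2.2"), visible_resources(s))
    s.switch_domain("MD2")                  # now (MD2, secret keeper)
    print([e.text for e in visible_events(s, SAMPLE_EVENTS)])
```

With U3 in MD1 the session can run function 2.2 and sees only Res1 and Res2 and their logs; after the switch to MD2 the device scope is empty (MD2 binds no device group) and only the high-risk log carrying the HE.secret feature code is visible, which is the behaviour the Fig. 7 description calls for. Treating the feature code as a function the responsibility must hold is this example's reading of the page's statement that a feature code "can be referenced when a responsibility is defined".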
By implementing the embodiments of the invention, devices are managed by means of tree-structured groups and resource access permissions are granted to users through responsibilities and management domains, so that when a user queries, accesses or uses resources, the user is restricted by the permission in both dimensions, function and resource. Resource access control covers not only access control over the security devices but also access control over the security events they produce, so that a security management platform can implement effective access control over massive numbers of security events.
The specific embodiments described above further explain the objects, technical solutions and beneficial effects of the present invention. It should be noted that the foregoing are only specific embodiments of the invention; those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Accordingly, if such modifications and variations fall within the scope of the technical solutions recorded in the claims of the invention and their equivalents, the invention is intended to include them.